Configure Gateway AntiVirus Actions

When you enable Gateway AntiVirus for a proxy policy, you set the actions to be taken if a virus is found or a file cannot be scanned in an:

  • Email message (SMTP, IMAP, or POP3 proxies)
  • Web page download or upload post (HTTP, TCP-UDP, or Explicit proxy)
  • Uploaded or downloaded file (FTP proxy)

Gateway AntiVirus default and maximum scan size limits are set based on the hardware capabilities of each Firebox model. Minimum scan size for all models is 1 MB. Gateway AntiVirus does not scan files larger than the scan limit you set.

The default and maximum scan size limits changed in Fireware v12.0.1. When you upgrade Fireware OS, the Gateway AntiVirus Scan size limit does not automatically change to the new default. We recommend that you update the Scan size limit to the default value for your Firebox model. For more information, go to About Gateway AntiVirus Scan Limits.

You can configure Gateway AntiVirus to take these actions when it identifies a virus or when a scan error occurs:

Allows the packet to go to the recipient, even if the content contains a virus.

Denies the file or email and sends a deny message. You can customize the deny message in the proxy action.

The Deny action is supported for the SMTP-proxy in Fireware OS v12.2.1 and higher.

Locks the attachment. This is a good option for files that cannot be scanned by the Firebox. A file that is locked cannot be opened easily by the user. Only the administrator can unlock the file. The administrator can use a different antivirus tool to scan the file and examine the content of the attachment.

For information about how to unlock a file locked by Gateway AntiVirus, go to Unlock a File Locked by Gateway AntiVirus.

When you use the SMTP proxy with the Gateway AntiVirus security subscription, you can send email messages with viruses, or possible viruses, to the Quarantine Server. The SMTP proxy removes the message part that triggered the scanner and sends the modified message to the recipient. The removed message part is replaced with the deny message configured in the proxy. If the Quarantine Server cannot be contacted, the message is temporarily rejected.

You cannot select the Quarantine action when content exceeds the Gateway AntiVirus scan limit.

For more information on the Quarantine Server, go to About the Quarantine Server. For information on how to set up Gateway AntiVirus to work with the Quarantine Server, go to Configure Gateway AntiVirus to Quarantine Email.

Removes the attachment and sends the rest of the message to the recipient. Replaces the removed attachment with the deny message configured in the proxy.

Drops the packet and drops the connection. No information is sent to the source of the message.

Blocks the packet, and adds the IP address of the sender to the Blocked Sites list.

Gateway AntiVirus actions occur only when a rule in the proxy action is configured with the AV Scan action. For information about how to configure Gateway AntiVirus in rules in a proxy action, go to Enable Gateway AntiVirus in a Proxy Policy.

Configure Gateway AntiVirus Actions for a Proxy

For each proxy action, you can enable Gateway AntiVirus and you can select the actions to take when a virus is detected and when a scan error occurs. Scan errors occur when the process fails or Gateway AntiVirus cannot scan an attachment, such as binhex-encoded messages, certain encrypted files, or password-protected ZIP files. When you set this to Allow, Gateway AntiVirus allows files to pass through the firewall.

When you enable Gateway AntiVirus for a proxy action, this automatically changes the action for rules in the proxy action from Allow to AV Scan.

You can configure the Gateway AntiVirus actions for a proxy in the Gateway AntiVirus settings in the proxy action. Or you can edit the proxy action settings in the Gateway AntiVirus settings. The procedure in this topic uses the second method.

  1. Select Subscription Services > Gateway AV.
    The Gateway AntiVirus configuration page opens.

Screen shot of the Gateway AV configuration page

  1. Select a user-defined proxy action and click Configure.
    The Gateway AntiVirus configuration settings for that proxy action open.

Screen shot of the Gateway AV configuration page

  1. To enable Gateway AntiVirus for this proxy action, select the Enable Gateway AntiVirus check box.
  2. From the When a virus is detected drop-down list, select the action the Firebox takes if a virus is detected in an email message, file, web page, or web upload. See the beginning of this section for a description of the actions.
  3. From the When a scan error occurs drop-down list, select the action the Firebox takes when it cannot scan an object or an attachment. Attachments that cannot be scanned include binhex-encoded messages, certain encrypted files, or files that use a type of compression that Gateway AntiVirus does not support such as password-protected Zip files. See the beginning of this section for a description of the actions.

Select the Quarantine or Lock action to avoid loss of data to scan errors. When you unlock a file, make sure you scan the unlocked file with a local AV scanner.

  1. From the When content exceeds scan size limit drop-down list, select the action the Firebox takes when content exceeds the configured scan size limit. Gateway AntiVirus default and maximum scan size limits are set based on the hardware capabilities of each Firebox model. Minimum scan size for all models is 1 MB. For information about the default and maximum scan limits for each Firebox model, go to About Gateway AntiVirus Scan Limits.
  2. From the When content is encrypted drop-down list, select the action the Firebox takes when Gateway AntiVirus cannot scan a file because it is encrypted (password protected).
  3. To create log messages for the action, select the Log check box. If you do not want to record log messages for an antivirus response, clear the Log check box.
  4. To trigger an alarm for the action, select the Alarm check box. If you do not want to set an alarm, clear the Alarm check box for that action.
  5. In the Scan size limit text box, type the file scan limit in kilobytes. This sets the maximum size file that can be scanned by Gateway AntiVirus and IntelligentAV. For information about the default and maximum scan limits for each Firebox model, go to About Gateway AntiVirus Scan Limits.

The scan limit also controls the maximum size of files that APT Blocker sends for analysis. APT Blocker cannot send files larger than 10 MB for analysis. If you set the Gateway Antivirus scan limit to higher than 10 MB, APT Blocker does not send files larger than 10 MB for analysis.

If the Gateway AntiVirus engine is not available and a request to scan an object is made, the object will be treated as not scannable and return a Scan Request Failed error.

  1. Select Subscription Services > Gateway AntiVirus > Configure.
    The Gateway AntiVirus dialog box opens.

Screen shot of the Gateway AntiVirus dialog box

  1. Select the policy you want to enable Gateway AntiVirus for and click Enable.
    The Gateway AntiVirus status changes to Enabled.
  2. Click Configure.
    The General Gateway AntiVirus Settings for that policy open.

Screen shot of General Gateway AntiVirus Settings page

  1. From the When a virus is detected drop-down list, select the action the Firebox takes if a virus is detected in an email message, file, web page, or web upload. See the beginning of this section for a description of the actions.
  2. From the When a scan error occurs drop-down list, select the action the Firebox takes when it cannot scan an object or an attachment. Attachments that cannot be scanned include binhex-encoded messages, certain encrypted files, or files that use a type of compression that Gateway AntiVirus does not support such as password-protected Zip files. See the beginning of this section for a description of the actions.

Select the Quarantine or Lock action to avoid loss of data to scan errors. When you unlock a file, make sure you scan the unlocked file with a local AV scanner.

  1. From the When content exceeds scan size limit drop-down list, select the action the Firebox takes when content exceeds the configured scan size limit.
  2. From the When content is encrypted drop-down list, select the action the Firebox takes when Gateway AntiVirus cannot scan a file because it is encrypted (password protected).

This setting applies to Fireware v12.0.1 and higher. In lower versions of Fireware, when an encrypted file cannot be scanned, the Firebox takes the action configured for When a scan error occurs.

  1. To create log messages for the action, select the Log check box. If you do not want to record log messages for an action, clear the Log check box.
  2. To trigger an alarm for the action, select the Alarm check box. If you do not want to set an alarm for an action, clear the Alarm check box.
  3. In the Scan size limit text box, type the file scan limit in kilobytes. This sets the maximum size file that can be scanned by Gateway AntiVirus and IntelligentAV. For information about the default and maximum scan limits for each Firebox model, go to About Gateway AntiVirus Scan Limits.

The scan limit also controls the maximum size of files that APT Blocker sends for analysis. APT Blocker cannot send files larger than 10 MB for analysis. If you set the Gateway Antivirus scan limit to higher than 10 MB, APT Blocker does not send files larger than 10 MB for analysis.

If the Gateway AntiVirus engine is not available and a request to scan an object is made, the object will be treated as not scannable and return a Scan Request Failed error.

You can also configure Gateway AntiVirus actions in the Edit Policy Properties dialog box.

  1. Double-click the policy.
  2. Select the Properties tab.
  3. Click .
  4. From the Categories list, select AntiVirus.

If you enable DLP and Gateway AntiVirus for the same proxy action, the larger configured scan limit is used for both services.

For the HTTP proxy (and the Explicit and TCP-UDP proxies), the General Gateway AntiVirus settings only apply when AV Scan is selected in the Action drop-down lists on the URL Paths, Content Types, and Body Content Types rules for the policy.

You can configure an HTTP proxy to scan objects based on content types and body content types. For more information, go to Optimize Gateway AntiVirus.

By default, when you enable Gateway AntiVirus for a proxy policy from the Gateway AntiVirus configuration, the default action for content that does not match a proxy rule is automatically set to AV Scan. You can improve Gateway AntiVirus performance if you change the default action for HTTP content that does not match a configured proxy rule. For more information, go to Configure Gateway AntiVirus Actions for HTTP Content.

When you enable Gateway AntiVirus in a proxy action, a warning message appears in the Gateway AntiVirus settings if automatic updates are disabled for Gateway AntiVirus signatures. To configure automatic updates, go to Configure the Gateway AntiVirus Update Server.

Related Topics

Update Gateway AntiVirus Settings

Optimize and Troubleshoot Gateway AntiVirus